moparisthebest
According to Google PlayStore, apps that contain or feature user-generated content (UGC), which include platforms like Twitter, Facebook, and Threads, must implement robust, effective, and ongoing UGC moderation. Google describes UGC as the content which is contributed to an app by users and which is accessible by “at least a subset of the app's users”.
So... All XMPP and email apps on Google play are in violation of this and Google just hasn't noticed yet?
singpolyma
I think UGC means public-ish and/or promoted by the app. So yes Conversations got hit by this for their public MUC search
web browsers get a pass probably because you have to know the url? so if you have to know the muc jid it's probably ok also
moparisthebest
I'm not so sure they see it that way
Conversations directs you to create an account on conversations.im etc
singpolyma
Yes, but when a reviewer looks at your app how will they find the unmoderated content?
moparisthebest
They won't, but a user can report it
singpolyma
I guess we'll find out if it comes to that
I am planning to maybe make a moderated / curated version of sjn partly because of this

opal
play store may as well be treated like a joke now
they targeted fediverse and 4chan apps plenty

MSavoritias (fae,ve)
Could SOAP be used instead of dbus for message passing?
or is it also xmpp directly?
i have heard that you can use also xmpp as dbus
also there is something called JOAP apparently
moparisthebest
Oh no I had nearly forgotten about SOAP, I only have a vague memory of pain
singpolyma
MSavoritias (fae,ve): there are several ways to do RPC with XMPP. XML-RPC, ad hoc commands, or custom iqs. Of course soap is also possible but that's never been specced I think?
MSavoritias (fae,ve)
there is soap over xmpp
but yeah was just curious. I have heard horrible stories about SOAP
😛
singpolyma
Properly deployed soap is honestly fine. It's just that like all enterprise tech, most of the stuff in the wild was poorly deployed
(fine if what you want/need is RPC of course)
These days they've renamed it graphql which is the same thing again with all new tech
MSavoritias (fae,ve)
ah classic
MSavoritias (fae,ve)
so reading through XEP-0402, if i want to make a p2p client with that i basically have to "fake" a server in my library don't I?
moparisthebest
For a P2P client you should just be running a whole server imho
Details are up to you
MSavoritias (fae,ve)
well i dont want to write a server and strap it to my library though 😛
Zash
embedded prosody?
moparisthebest
^
MSavoritias (fae,ve)
that still straps a server next to the client. which also has a library. seems like duplication of resources
instead i could have a library
just the library
moparisthebest
XMPP s2s is p2p, so you want a server, you can write all this logic or use an existing server
MSavoritias (fae,ve)
s2s is server to server its in the name
but anyway. i will see for another xep i guess.
Link Mauve
You could write a mod_client in Prosody, which would make it into a client on its own. 😃
moparisthebest
A client doesn't *have* to talk to a server over c2s it can do its own thing there
But for P2P XMPP you definitely want something that talks s2s externally
singpolyma
You could write a mod_client in Prosody, which would make it into a client on its own. 😃
I think this exists, sort of
moparisthebest
A few probably, at least mod_rest or whatever
singpolyma
I think the LAN p2p xep is basically this, but relaxes s2s security stuff quite a bit due to trusting the local network
But yeah, I think depending on need "a whole server" makes it sound more complex than it is. It's just an authenticated XML stream, same as c2s
The real question is what happens when you're offline
MSavoritias (fae,ve)
for offline messages? gnunet supports offline messages at the transport layer between 1:1 on a DHT like i2pbote to my understanding
in group chats its an issue yeah
moparisthebest
I think the existing lan P2P xep was an interesting historical thing from the distant past where you didn't need encryption and could use local network discovery etc etc, but is pretty obsolete today
MSavoritias (fae,ve)
which needs to be solved anyway imo
moparisthebest
Today you just run a server and keep all the good stuff
MSavoritias (fae,ve)
fair but thats not what i asked 🙂
but point taken i cant use 0402 it seems
moparisthebest
so reading through XEP-0402, if i want to make a p2p client with that i basically have to "fake" a server in my library don't I?
I think it is 🙂 whether you call it "fake" or not you need a "server"
singpolyma
I think the LAN p2p is still useful, but only on a lan of course. It's fun at conferences for example
MSavoritias (fae,ve)
moparisthebest, nope i dont 🙂
pep.
I'm not sure stuff like 402 is interesting though. As you'd have multiple servers (one per client) now, not one per account
moparisthebest
I think the LAN p2p is still useful, but only on a lan of course. It's fun at conferences for example
But why bother when it's even easier to just run a server
Link Mauve
singpolyma, not any more, because no one else is using it any more, because clients dropped support.
singpolyma
moparisthebest: I don't understand the difference
Link Mauve
moparisthebest, and ask everyone at the conference to configure their credentials for your server?
moparisthebest
To scan a qr code? Sure
singpolyma
singpolyma, not any more, because no one else is using it any more, because clients dropped support.
Clients drop support for lots of things, can always add it back
moparisthebest
Or pass it around via avahi or whatever, still way way easier than implementing that
singpolyma
So you're saying advertise real jid via avahi? IIRC the xep does have a provision for that. That requires internet and exposes your JID but you're correct neither of those is an obstacle for me generally
moparisthebest
No I mean like, Snikket invite over avahi
singpolyma
In case they don't have a jid?
pep.
Or MUC-token-invite :-°
singpolyma
pep.: Yes
Definitely a needed thing
pep.
Maybe an invite token can also be stuffed in there somehow for an account to be created
(If needed)
moparisthebest
That's kinda what Snikket already does, but yes
pep.
No, Snikket invites get you an account, period
moparisthebest
I mean it puts new accounts into the same muc no?
pep.
If you have one already you can't use it
Yeah it does, the new account
singpolyma
Snikket invites get you a new account optionally + add a contact
If you use the xmpp URI version
moparisthebest
Yes I agree though, it'd be nice to "here use this to join from your existing account or create a new one and join"

MSavoritias (fae,ve)
is https://xmpp.org/extensions/xep-0246.html advisable for implementation?
XEP-0246: End-to-End XML Streams
i am asking because the serverless messaging is historical obviously
techmetx11
MSavoritias (fae,ve): what is serverless
this ^
moparisthebest
is https://xmpp.org/extensions/xep-0246.html advisable for implementation?
Hmm well you need to come up with a good way to authenticate the connections, if you are talking client-to-client they don't have ways to generate certs each other can trust yet
Sharing public key hashes over OMEMO or similar would work
opal
well i dont want to write a server and strap it to my library though 😛
you could masquerade as a server and just not send client stanzas ever lol
MSavoritias (fae,ve)
Sharing public key hashes over OMEMO or similar would work
got it. thank you
opal
XMPP s2s is p2p
thanks for the laugh
(genuinely laughed at that, its true but warping what p2p is supposed to entail)
moparisthebest

XMPP s2s is p2p
thanks for the laugh
It's not a joke, it's literally p2p

opal
its s2s, we're peers, they're servers
Zash
servers are peers
opal
Somebody who is, or something that is, at a level or of a value equal (to that of something else).
ok strictly speaking, sure
singpolyma
And if the "server" protocol is spoken by a client it's literally p2p
moparisthebest
Each server creates and maintains a connection to each and every other server, the exact definition of peer to peer
Zash
moparisthebest, pretty sure jingle has ways to share TLS pubkey/cert fingerprints for stuff like this
opal
well theres partial-mesh p2p as well thats mediated by something typically dht
moparisthebest
Hmm server discovery via dht you say? Intriguing...
MSavoritias (fae,ve)
for jingle p2p ^
opal
i am asking because the serverless messaging is historical obviously
0174 is finalised so i wouldnt say historical, just lack of support now because who the hell messes with mdns for messaging
MSavoritias (fae,ve)
agreed
Zash
anyone remember jingle nodes?
opal
i could see it useful in an organisational setting but typically corporations will be hosting a server anyway, so most use cases even for that are kinda meh
moparisthebest

there is https://xmpp.org/extensions/xep-0247.html
Rekt: Note: It is STRONGLY RECOMMENDED to encrypt all end-to-end XML streams as described in Jingle-XTLS (currently located at http://xmpp.org/extensions/inbox/jingle-xtls.html). Those security flows are NOT described here.

opal
maybe when i go to my first DEF CON i'll advertise an xmpp ptr to their public wifi :>
moparisthebest
i could see it useful in an organisational setting but typically corporations will be hosting a server anyway, so most use cases even for that are kinda meh
And few organizations have everyone in the same building on the same network
opal
yeah thats true subnetting is a hurdle; so there you go, many things that break the illusion of serverless in the context of that xep
Zash
Meanwhile, using Slack to talk to the person sitting at the desk next to you
MSavoritias (fae,ve)
moparisthebest, gnunet is already encrypted on the transport level 😉
for jingle omemo
opal
zash: sorry to inform you but your browser is unsupported next month, we need to change random UI elements to confuse the hell out of you when you come back into the office
Zash
XTLS is one of those legendary things that were supposed to solve all problems, but somehow never got accepted?
MSavoritias (fae,ve)
it seems interesting but tls is tied to DNS isnt it?
so useless to me
opal
wait like, tls over xmpp? what the fuck
Zash
MSavoritias (fae,ve), incorrect
singpolyma
No, TLS is unrelated to DNS mostly
MSavoritias (fae,ve)
ah
will take a look then 🙂
opal
man i still wish s/mime didnt fall on its face outside of business settings
i still want an s/mime certificate
MSavoritias (fae,ve)
so that means i can also use RFC 7590 potentially. nice 😃
Zash
Is that raw public keys?
opal
rfc 8823 already exists to issue s/mime over acme :<
moparisthebest
Hmm server discovery via dht you say? Intriguing...
Now I can't stop thinking about this
opal
moparisthebest, lol i missed that message sorry
Trung

Hmm server discovery via dht you say? Intriguing...
Now I can't stop thinking about this
+1

opal
yeah lets just put dns inside the other protocol and call it something else and use kademlia thatll fix things :^)
Zash

There is nothing in any of these standards that would prevent me from including a 1 gigabit MPEG movie of me playing with my cat as one of the RDN components of the DN in my certificate. -- Bob Jueneman on IETF-PKIX

Not even X.509 is tied to DNS
opal
oh man i could pipe this over irc
moparisthebest
opal
nah the cat mpeg
Zash
Web PKI is why everything is tied to DNS, and why we can't have nice things like XMPP-only certificates
opal
moparisthebest, i piped towel.blinkenlights.nl to irc before
singpolyma

Hmm server discovery via dht you say? Intriguing...
Now I can't stop thinking about this
What's the advantage over DNS?

MSavoritias (fae,ve)
Sharing public key hashes over OMEMO or similar would work
specifically this https://xmpp.org/extensions/xep-0250.html
but with omemo
moparisthebest

Now I can't stop thinking about this
What's the advantage over DNS?
Having thought about it for 2 minutes, it could be a solution for hosting XMPP servers securely without domain names or DNS without resorting to Tor

singpolyma
Isn't it the same as using Tor?
moparisthebest
tl;dr Tor .onion domains but over clearnet, pinned TLS without needing CAs or DNSSEC or DANE
Trung

What's the advantage over DNS?
Having thought about it for 2 minutes, it could be a solution for hosting XMPP servers securely without domain names or DNS without resorting to Tor
Yes. Records will have similar advantage as a .torrent. It would be pretty cool

singpolyma
I would build atop an existing DHT or similar. Which in practice for this means ipfs or Tor probably
opal
ik tor is the first example to come to everyones head when thinking of "not dns" but it doesnt even use dht
MSavoritias (fae,ve)
^
Trung

Sharing public key hashes over OMEMO or similar would work
specifically this https://xmpp.org/extensions/xep-0250.html

but with omemo
i'm experiencing some terrible omemo bug with Profanity atm... to the point i'm for now only using Conversations so not too sure on this one.

moparisthebest
Tor is great but the downside is it's a bit too slow for calls etc, doing something like this could give us the security of onion domains but over clearnet (and obviously lose the Privacy of Tor too)
opal
lets take a step back, we're talking about dht to essentially share ip addresses, right? why not just compare it to bittorrent at this rate
MSavoritias (fae,ve)
profanity doesnt care about omemo afaik. they push for OX more
opal
profanity implements omemo and its one of the tui clients that does it reasonably well
singpolyma
moparisthebest: you don't need to send calls etc Traffic over Tor to use onion names
opal
pray tell how "onion names" are useful in any way here
moparisthebest
lets take a step back, we're talking about dht to essentially share ip addresses, right? why not just compare it to bittorrent at this rate
Basically yes, but they'd need to be signed etc
singpolyma
opal: p2p server naming if you don't want to use dns
moparisthebest
pray tell how "onion names" are useful in any way here
You want to set up a server but don't own a domain name
MSavoritias (fae,ve)
but then why not use GNS which is also backwards compatible with DNS
opal
ok i dont think public-key hashes will help with supplanting dns
you have my pubkey, how are you gonna connect to me, lol
singpolyma
That's what onion names are good at 🙂
Getting a connection out of the key hash
There are other equivalent solutions of course
moparisthebest
you have my pubkey, how are you gonna connect to me, lol
Getting your signed connection details from a dht
opal
i think you misunderstand that "onion names" are useless on their own, they leverage tor dirauths to actually look up the hidden service location within the tor network (well, its tunnels)
singpolyma
opal: that... Doesn't sound useless?
opal
moparisthebest, i can sign an ip address without even mentioning any aspect of tor
singpolyma, tor's more centralised than you think, that's my point
singpolyma
Sure. I'm not sure if that matters or not
opal
well we can add a dirauth bootstrap to xmpp and start a committee to ban bad nodes off the network if thats what youre after
singpolyma
DNS is also less centralized than some people think. It all depends on goals
opal
i just think the tor metaphor is verrrrrrry naïve to use here
singpolyma
What metaphor?
opal
comparing dht to tor in the first place
singpolyma
They're both semi centralized lookup services for keys to metadata that can allow a connection
opal
look at its cousin, i2p, if you want something slightly closer to the goal here
singpolyma
I don't think we decided what the goal is
opal
but then the i2p thing breaks when you start thinking about its use of pet names and hosts files 🙂
(i suppose you could call a JID a "pet name" and your roster your "hosts file" lol)
singpolyma
Anyway, my point was just that DNS can probably be made to work in most cases and when not there are a bunch of existing solutions depending on goals. I don't think we need to invent or spec anything
opal
i mean, all this discussion is useful especially if we start talking about encrypted layer-3 transits such as cjdns, yggdrasil, even some vpn like dn42 or anonet
well the latter still require tls for transit encryption nvm
former two are perfect examples though, everyone can "directly" (i.e. no nat bullshit) connect to everyone else in the network, encrypted and verified by the ip address (pubkey) alone
moparisthebest
If you have public-key-is-your-IP like cjdns you don't need DNS or TLS or discovery at all
opal
yeah
well, discovery?
how do you know 202:8478:47ac:3fff:177c:a994:51e4:9c55 has any xmpp resources attached without either asking me or scanning the whole network
singpolyma
Because it's in the domainpart of a jid
opal
oh youre saying i could just give you opal@[202:8478:47ac:3fff:177c:a994:51e4:9c55] and it'll suffice
singpolyma
Yes
opal
gotcha
singpolyma
I assume cjdns sucks on mobile like most such things. Does anyone know?
opal
i assume cjdns sucks but cjd is a cool guy 😃
Zash
all p2p sucks on mobile
opal
(i looked at the codebase back when node was still a requirement)
yggdrasil on mobile is usable
moparisthebest
It's been like a decade since I touched that
Zash
at best, it sucks massive amounts of power
and this is why I'm firmly behind the federated client-server model 🙂
opal
ygg is dormant unless you route, and typically youre chosen for routing if you have good access to two peers
moparisthebest
That's another bonus point for DHT XMPP server discovery, it only eats battery during the discovery phase 🙂
opal
yeah c2s is a good stopgap for the current internet
Zash
p2p things tend to be chatty, as do chat things
singpolyma
Well, all p2p is fake and semi centralized. If mobile leeches it can maybe work. I don't know how much that's been tried
opal
lets just communicate telepathically, problems solved
singpolyma
moparisthebest: if leeching, yes
Zash
singpolyma, no no, these are not servers, they're "supernodes" and that's not centralization, they're called "bootstrap nodes" 🙂
singpolyma
The reason DHT burns power is if you make every mobile client a member of the DHT
Zash: ah, yes. The good old "bootstrap node" at irc.libera.chat 😉
opal
lesson learned: turtles all the way
moparisthebest
Zash
Did they just introduce TorCoin??
opal
lol @ hidservs still suffering from DoS
also lol @ the DNMs and the reddit clone being "protected" by some stupid captcha and a script to drop circuits on failure
i'd say half of it is because they all run bloated dynamically-generated php websites, and the other half is tor's slow circuit-building process
oh man that was recent moparisthebest
yeah ive been hearing talk about PoW on the MLs on and off over the years
Did they just introduce TorCoin??
looks like a one-time challenge which is honestly reasonable, just offloads cpu requirement to the client